This is great stuff! I'm trying to connect to a server at 192.168.1.20. It is a Ubiquiti Ethernet radio. In your example, you create a connection to the (http://loboris.eu/ESP32/test.php) domain. The output you get if verbose is enabled is

When negotiating a TLS or SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.

When CURLOPT_SSL_VERIFYPEER is enabled, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.

Authenticating the certificate is not enough to be sure about the server. You typically also want to ensure that the server is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST for that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point.

, so the connection to your host should succeed regardless of whether the certificate is found or not.
The connection to the included example https server always succeeds, and I've tried with many other servers, for example https://google.com.

The function should not hang; the curl timeout in the example is set to 20 seconds, so the function should return after 20 s with an error if the connection is not successful.

Have you done any https post requests or just get requests? Would that make a difference???

I think I might have found something. When I run the code on my mac, it works just fine. When I run it on the ESP32, it hangs (even after 20 seconds). I did verbose on both, and I found a difference in the TLS setting.

I tried the certificate being loaded from memory approach on the ESP32, but the OpenSSL library that comes with the ESP32 lacks several components needed to compile.

I'm not sure if I should try and save the cert somewhere on the ESP32 or even how to do that.

Thoughts?

EDIT:

I added
curl_easy_setopt(hnd, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
to my code, and the TLS warning went away. Same results. It works on the mac and hangs indefinitely on the ESP32. I disabled the watchdog timer because it was getting triggered.

It appears that the hang may not be within libcurl but with mbedTLS. The following is the output. It stays at connecting indefinitely.

EDIT:
I took a look at the https example on the esp-idf. It uses an external .pem file for certification. In the root directory, a component.mk file is created containing
COMPONENT_EMBED_TXTFILES := server_root_cert.pem. In the root directory, we also have the server_root_cert.pem file. Can I make that work with curl_easy_setopt(handle, CURLOPT_CAINFO, "ca-bundle.crt");?
The .pem file is accessed with
extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end");
Any ideas on how to make this work or should I approach it a different way? I also use the NVS a lot for storing variables.
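
An added example, not code from this thread or from the ESP32 curl port being discussed: it ties the CURLOPT_SSL_VERIFYPEER discussion at the top of the thread (keep verification on and supply a trusted CA instead) to the embedded server_root_cert.pem question above. The only thing the firmware has is the start/end symbols that COMPONENT_EMBED_TXTFILES emits; the code below checks that blob the way a caller should before handing it to mbedtls_x509_crt_parse(), which for PEM input requires a NUL-terminated buffer with the NUL counted in the length. The two arrays are constructed stand-ins for the _binary_server_root_cert_pem_start/_end symbols (dummy base64 bodies, not real certificates) so the code compiles on any host; the function names are mine.

```c
/* Added example (not from the thread): sanity-check an embedded PEM CA bundle
 * before passing it to a TLS library. On the ESP32 the real buffer is the
 * _binary_server_root_cert_pem_start/_end symbol pair; here it is a plain
 * array so the code builds on a PC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the embedded file: two PEM blocks with dummy
 * base64 bodies (not real certificates). The string literal supplies the
 * trailing '\0' that COMPONENT_EMBED_TXTFILES appends to text files. */
static const uint8_t server_root_cert_pem_start[] =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxzCCAW2gAwIBAgIUQ0NBRFVNTVkwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwH\n"
    "RHVtbXlDQQ==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxzCCAW2gAwIBAgIUQ0NBRFVNTVkwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAwwH\n"
    "-----END CERTIFICATE-----\n";
static const uint8_t *const server_root_cert_pem_end =
    server_root_cert_pem_start + sizeof(server_root_cert_pem_start);

/* Constructed malformed input: a non-base64 character inside the body. */
static const uint8_t bad_pem[] =
    "-----BEGIN CERTIFICATE-----\nAB!C\n-----END CERTIFICATE-----\n";

/* Length to hand to mbedtls_x509_crt_parse(): end - start. For an embedded
 * text file this already includes the terminating NUL, which mbedTLS needs. */
size_t embedded_pem_len(const uint8_t *start, const uint8_t *end)
{
    return (size_t)(end - start);
}

/* 1 if the last byte is NUL; passing strlen() instead of strlen()+1 here is
 * the classic mistake that makes PEM parsing fail on the device. */
int pem_is_nul_terminated(const uint8_t *buf, size_t len)
{
    return len > 0 && buf[len - 1] == '\0';
}

static size_t text_len(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != '\0') i++;
    return i;
}

static int is_base64_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
}

/* Counts well-formed PEM certificate blocks: every BEGIN marker must be
 * followed by base64-only body lines and an END marker.
 * Returns the count, or -1 if the bundle is malformed. */
int pem_count_certificates(const uint8_t *buf, size_t len)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    static const char end_marker[] = "-----END CERTIFICATE-----";
    const char *p = (const char *)buf;
    const char *limit = (const char *)buf + text_len(buf, len);
    int count = 0;

    while (p < limit) {
        while (p < limit && (*p == '\n' || *p == '\r')) p++;   /* blank lines */
        if (p >= limit) break;
        if ((size_t)(limit - p) < sizeof begin - 1 ||
            memcmp(p, begin, sizeof begin - 1) != 0) return -1;
        p += sizeof begin - 1;
        if (p < limit && *p == '\r') p++;
        if (p >= limit || *p != '\n') return -1;
        p++;
        for (;;) {                       /* body lines until the END marker */
            if (p >= limit) return -1;   /* data ran out before END marker */
            if ((size_t)(limit - p) >= sizeof end_marker - 1 &&
                memcmp(p, end_marker, sizeof end_marker - 1) == 0) {
                p += sizeof end_marker - 1;
                break;
            }
            int n = 0;
            while (p < limit && *p != '\n' && *p != '\r') {
                if (!is_base64_char(*p)) return -1;
                p++; n++;
            }
            if (n == 0) return -1;       /* empty line inside a body */
            while (p < limit && (*p == '\n' || *p == '\r')) p++;
        }
        count++;
    }
    return count;
}

/* Everything a caller should verify before mbedtls_x509_crt_parse():
 * NUL-terminated and containing at least one certificate.
 * Returns the number of certificates, or -1. */
int embedded_ca_bundle_check(const uint8_t *start, const uint8_t *end)
{
    size_t len = embedded_pem_len(start, end);
    if (!pem_is_nul_terminated(start, len)) return -1;
    int n = pem_count_certificates(start, len);
    return n > 0 ? n : -1;
}

int main(void)
{
    int n = embedded_ca_bundle_check(server_root_cert_pem_start,
                                     server_root_cert_pem_end);
    printf("embedded bundle: %d certificate(s)\n", n);
    return n > 0 ? 0 : 1;
}
```

Two notes on wiring this up, which the code above deliberately stays independent of: CURLOPT_CAINFO takes a filesystem path, so pointing it at "ca-bundle.crt" only works if that file actually exists on a filesystem the device has mounted; and with an mbedTLS-backed libcurl new enough to support CURLOPT_SSL_CTX_FUNCTION for that backend (my assumption about the version in the port), the callback receives the mbedtls_ssl_config, so the chain parsed from the embedded buffer can be installed there with mbedtls_ssl_conf_ca_chain() while CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST stay enabled.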

I have added the option to enable mbedtls debugging, maybe it could help you to solve your problem.

To enable:
- execute make menuconfig and under Component config → mbedTLS select Enable mbedTLS debugging
- Edit curl_config.h, set MBEDTLS_DEBUG_LEVEL to the debug level you want to use
- Build with mbedtls debugging enabled and flash...
